cool cheers, lookin forward to these perl scripts, were they hard to write?
Hard to write? No, not at all…
> Hard to write? No, not at all…
I'd think, Harlan, the hard part is knowing what to write. P
Yes, it is. For me, anyway.
The REAL hard part is knowing *how* to write it so that others will use it. Anything run from the command prompt (i.e., not double-clicked with a nice GUI) is extremely intimidating to a great many forensic investigators. What most folks just don't understand is that while it's not hard to write something like that once you know what it is you need to do, guys like me are not big software development shops. Also, "feature requests" (that usually start off with "…you should…") generally don't go very far, because the truth is, like everyone else, I need to feed my family. 😉
Yeah, I'd definitely say it would be finding out what to write that would be the hard part; I have some experience with Perl.
I'm sort of in that position: for my final year at uni I need to program a forensic tool (I'll be writing in C++). I don't know how much it has to do, but I was thinking of making it read from unallocated and slack space and extract protected files. I realise that by no means would I be creating anything new here, but yeah, it's a uni project. Hopefully it will have a GUI.
> read from unallocated and slack space and extract protected files.
First off, what are "protected files"? Anything in unallocated or slack space will be deleted, most likely. This means that the sectors that make up the files may or may not be contiguous. Also, sectors that make up the file may be overwritten. As I've mentioned before, XP does a great deal of antiforensics on its own.
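To illustrate the point above about non-contiguous and overwritten sectors, here is an added Python example (not code from this thread or from anyone in it): a toy header/footer carver run over a constructed 16-sector raw image, where the signatures DEMO/ENDD, the sector size and the sector layout are all assumptions chosen for the demo.

```python
import hashlib

SECTOR = 512
HDR, FTR = b"DEMO", b"ENDD"   # constructed header/footer signatures (assumed)


def sha(data):
    return hashlib.sha256(data).hexdigest()


def make_file(n_sectors):
    """Construct a file of n whole sectors: header in the first, footer in the last."""
    data = bytearray(b"x" * SECTOR * n_sectors)
    data[:len(HDR)] = HDR
    data[-len(FTR):] = FTR
    return bytes(data)


def build_image():
    """Constructed 16-sector image holding two 'deleted' files whose allocation
    data is gone: file A sits at non-contiguous sectors 3, 4, 7 and sector 7 is
    later overwritten by new data; file B is contiguous and intact at 12-14.
    Returns the image and the SHA-256 of each original file."""
    img = bytearray(SECTOR * 16)          # zero-filled, like wiped free space
    a, b = make_file(3), make_file(3)
    for i, s in enumerate((3, 4, 7)):
        img[s * SECTOR:(s + 1) * SECTOR] = a[i * SECTOR:(i + 1) * SECTOR]
    for i, s in enumerate((12, 13, 14)):
        img[s * SECTOR:(s + 1) * SECTOR] = b[i * SECTOR:(i + 1) * SECTOR]
    img[7 * SECTOR:8 * SECTOR] = b"NEWDATA!" * (SECTOR // 8)   # sector reused
    return bytes(img), {"A": sha(a), "B": sha(b)}


def carve(img, max_sectors=8):
    """Naive contiguous carve: from each header, read whole sectors forward
    until one ends with the footer or the sector budget runs out.
    Returns (start_sector, carved_bytes, footer_found) per hit."""
    hits, pos = [], img.find(HDR)
    while pos != -1:
        start = pos // SECTOR * SECTOR
        data, found = b"", False
        for s in range(max_sectors):
            sec = img[start + s * SECTOR:start + (s + 1) * SECTOR]
            if not sec:
                break
            data += sec
            if sec.endswith(FTR):
                found = True
                break
        hits.append((start // SECTOR, data, found))
        pos = img.find(HDR, pos + len(HDR))
    return hits


def report(img, hashes):
    """Map start sector -> (footer_found, hash_matches_an_original). Only the
    hash match proves the carve recovered the file rather than a plausible blob."""
    return {sec: (found, sha(data) in hashes.values())
            for sec, data, found in carve(img)}
```

Running `report(*build_image())` gives `{3: (False, False), 12: (True, True)}`: the fragmented, partly overwritten file A is carved as an unterminated blob that hashes to nothing known, while the contiguous file B comes back intact.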
> First off, what are "protected files"?
Haha, I knew you would ask that, keydet. Well, for argument's sake, let's just say to at least extract the SAM file.
> Anything in unallocated or slack space will be deleted, most likely. This means that the sectors that make up the files may or may not be contiguous. Also, sectors that make up the file may be overwritten. As I've mentioned before, XP does a great deal of antiforensics on its own.
Yeah, I'm just going to write it so it reads from unallocated and slack space; if sectors are not contiguous I don't care, if sectors are overwritten I don't care, as long as I write this program and it gets me the mark I would like.
I've just got your book today; looking forward to reading it tonight before I hit the Jim Beam 😉
> The REAL hard part is knowing *how* to write it so that others will use it. Anything run from the command prompt (i.e., not double-clicked with a nice GUI) is extremely intimidating to a great many forensic investigators.
Looking forward to using these in a few weeks. Thanks for the Reg' chapter. I'm so rusty after 8 years in the Mac OS.
Tanks Mon!